A peer code review by another developer is mandatory before any code can be merged and, by extension, deployed.
For each validated commit, thousands of unit, integration, API, and functional tests are automatically executed.
All code changes, whether bug fixes, feature updates, or infrastructure modifications, are tested in a staging environment before being promoted to production.
Before every release, hundreds of end-to-end tests are run across all major application flows, in addition to manual validation of recent changes.
Access to the application may occasionally be suspended for maintenance operations necessary to ensure the proper functioning and continuous improvement of the service. In such cases, Elevo commits to notifying clients by email at least two days in advance of scheduled maintenance.
We use a set of tools and frameworks that help prevent the introduction of security vulnerabilities. These tools are at the core of our development process.
Our main frameworks, Ruby on Rails and ReactJS, provide built-in protections against common classes of vulnerabilities such as XSS, SQL injection, and timing attacks. We proactively maintain these dependencies, continuously evaluating the relevance and maturity of each update for our codebase.
We use Datadog ASM in our staging environment to monitor the application before production deployment and receive alerts on potential issues. We also use Snyk to be notified of newly published CVEs, often cross-referenced with advisories from ANSSI (e.g., CERTFR-2019-AVI-111).
For backend static analysis, we use RuboCop, which includes a security rule set designed to flag risky code patterns (see the RuboCop Security documentation). We are also adopting Brakeman (brakemanscanner.org) for more advanced detection of potentially dangerous code patterns.
On the frontend side, we use ESLint for static analysis.
All new features undergo a Design Review, which includes a mandatory security impact assessment reviewed by the technical leadership team.
We are alerted immediately when a CVE affecting one of our libraries or dependencies is published, and also when a previously fixed CVE regresses.
Our infrastructure partners (Scaleway, DigitalOcean, and Salesforce) also proactively patch CVEs affecting the operating systems and infrastructure they manage.
We track and prioritize all security-related tickets in JIRA, assigning a severity consistent with their potential impact.